Welcome to Making Security Make Sense to Users and Clients. My name is Jamie Schmidt. I'm a community evangelist at SiteLock. We are a web security company. I'm a freelance designer and developer. I'm passionate about WordPress and Ripple, and I'm passionate about content also. I'm a proud cat mom in Portland, Oregon. Yes.

What we're going to cover today, a list of things here: securing your own site, why it's important to secure your own site and your clients' sites, the benefits for you when you do both of those things, how to communicate the benefits to your clients and users and explain it to them in a way that they'll not only understand, but in a way that they're going to want you to actually secure their site, including it in the project scope. Then we'll go over some security best practices, and then end with adding security to your maintenance program and going over some maintenance reporting options. I'm also going to touch a little bit on the GDPR. It's a big topic right now, and it goes into effect next month. So it's something that everybody needs to at least have an idea of what it's all about, even if you're not necessarily directly collecting data.

So I just want to talk about why securing your site is a good first step. So, securing your own website. You want to own your reputation. Website hack attempts happen every single day, and you're the person that's providing this service. So having familiarity with what is all involved in securing your site, and also having a site that is not hacked, is a good thing. It always looks good when your website doesn't show a warning in Google that the site has been compromised. So you want to go through the process yourself so you know what you're talking about. Having familiarity with security best practices means that you're not only experienced in that, but that you're going to have first-hand experience to be able to communicate to your clients.
If you've ever gone through a hacked site, or your own site was hacked, you're probably more motivated. Just like any client of yours that has possibly had a hacked site, they're going to be more motivated to have security on their site. But the clients that have never had it, or if you have never had it, it might be hard to really understand why you need security. Because if your site hasn't been attacked yet, it might feel like it's secure, but that's not necessarily the reason you haven't been hacked. It's just a matter of "yet."

And then protecting your own business. It's directly related to protecting your reputation. You don't want your business to be compromised. You don't want any information that you may be storing on there to be compromised. You don't want to have a reputation as the one person in town whose website was compromised when somebody did a Google search. You pretty much only get one chance. When they go to your website looking for website services and your site has hacking things on it, or it's redirecting to a third-party site, they won't come back. They're going to go to somebody else. There are plenty of website services out there. So you really only get that one chance to have a site that's secure. So making sure that your own site is secure is the first step.

And then the benefits of securing your clients' sites. So I have a little bit of a story of my own experience. And if we're web developers in here, we probably have experiences with various levels of hacking or security compromise. So I had a client last year. I took on an existing WooCommerce site. And when we were talking about her collecting payments, she wanted to move from PayPal, which I think she was using, to something more advanced like Stripe.
So we went through what she was currently doing, and she mentioned to me on the phone, I couldn't tell this from looking at her site, but she mentioned to me, she said, well, when people buy something on my website, my last developer set it up so that I get their credit card numbers and their information forwarded to me by email. And I was like, oh, you're doing that right now. Okay, we're gonna stop that immediately. So if she hadn't told me, I might not have known that right away. And I might not have known to look, because that's not something you assume is happening. Most web developers won't do that. In this situation, either the developer she had wasn't knowledgeable enough to know that that's a bad idea, or he was knowledgeable enough but didn't care. Either way, it indicates that there are probably other things going on with that site. So it's in your best interest, especially if the site was developed by somebody else, because you know what you've done, but you don't necessarily know what you're inheriting.

And frantic phone calls from clients that their site has been hacked never come at like 11 o'clock on a Monday morning when you've had your coffee and you're ready to sit down to work. They'll come at like Friday at eight at night. And then you spend the entire weekend fixing something that's hacked. They'll come, you know, while you're out with your kids or your friends. It's never convenient. And it's obviously not convenient to them either. You wanna avoid that situation, obviously. And it's just sort of our responsibility as their technical contact; they're gonna automatically come to you for these things anyway if you're a developer. And you don't wanna spend your weekend fixing something. It gives you peace of mind knowing that you're not gonna spend your weekend fixing something. Putting security practices in place doesn't guarantee you're never ever gonna end up with a hacked site.
There are a lot of different factors. Some of the things that we go through today are gonna mitigate a lot of those. But it gives you the peace of mind that you've done basically everything within your power. We can't force a client to take our services. We can't force them to have security. We can't force them to do anything, really. But we can educate them, and we can tell them that this is what should be done. We can also say that we don't take projects unless they also have the security in place. So knowing that it's something that you've paid attention to is gonna give you peace of mind that you're not gonna get into that situation down the road.

So, the benefits of educating clients. Like I said before, clients that haven't had their sites hacked probably don't know or care about security. Or if they already do, that's great. But for the ones that don't, it's sort of our job as developers to work to make the internet safer. We're the ones that have the knowledge. So it's sort of our duty to educate clients and tell them these are the best practices, these are the things that you should be doing. When I build websites, I make sure that I build them in a secure way. So when I was talking to the client that had the emails forwarded to her, I said, I don't do this, we're not doing this. If I'm taking on your site, we're getting rid of this, and I'm doing an entire security audit of your site before we do anything. Because I don't wanna look bad. I don't wanna be liable for anything. I don't want her to lose her business, which she easily could have. So just awareness, general awareness, making the internet safer for everybody.

So then the question comes down to: who is responsible for security? So your client probably thinks that it's either you or the web host. The web host thinks that it's you and the client. And you know the truth, that it's really everybody's responsibility. Ultimately, it's the client's responsibility, because they're the end point.
If information gets compromised, they're the ones that are gonna get sued. In turn, maybe they can sue their host, maybe they can sue you, but they're gonna be the first one that this drops down on. So ultimately it's them, but you're the developer. So you need to communicate that to them. I needed to tell that client that in the event that somebody were to log into a Google account and see these, the credit cards, her life would pretty much be ruined. She would be over. So I had to flat out say that and say, you need to learn about these things. I'm gonna tell you about them and we're gonna put things in place. But it's ultimately up to you.

So the web host also has some responsibility here. Their responsibility and their interest is mainly protecting their servers, because especially if you're on shared hosting, they're hosting many other websites on the same server as you are. And depending on the type of vulnerability, it's possible that somebody could get in through your website and worm their way into other websites on that server. And once that happens, then the hosting company is responsible for those other websites, because the vulnerability happened at their point. But then it's also your responsibility. You have to tell the client what they need, and you have to know what the client needs. So that you can tell them, make sure you have a host that has so-and-so in place. Make sure that you're, you know, keeping things updated, using a secure password. So it's not always, like, you don't wanna go up to a client and be like, look, this is your responsibility, you just have to do it.

I think that making them understand, so I have this little analogy. I love analogies. It helps me to explain things to clients. So if you think of this whole situation as like an apartment complex, a condo complex. So you are the person that built the building, right? You went through and you ensured that it was up to code.
You made sure that you built locks on the doors, that maybe the lobby locks, maybe it's gated, whatever. And you made sure that the wiring works. You built the building. You put the security pieces in place to be used. You don't necessarily enforce them, because you're not living there. But so then the web host comes in, and they're sort of like the maintenance person, or maybe they're sort of like the superintendent. They make sure that the locks are always in working order. They make sure that when you walk into the lobby, they greet you and they know who you are, and they don't let people come in. And then it comes down to the website owner, who is responsible for locking their door. If they have a lock on the door and they're not using it and someone just walks into their house, it's not the person that built the house. It's their fault, right? It's not the maintenance man, because the locks work. So kind of understanding that, yes, everybody has a part in it, and understanding what everybody's part is, can kind of show them that the responsibility lies pretty much on everyone. Yeah.

So I have a question. Does the client clearly have to identify that, yes, I agree this is my ultimate question?

So I offer it as either an ongoing thing or a one-time setup. And then I have verbiage in place that says that if you don't take this, you're responsible for setting them up on your own and I'm not liable. I think it's like, I have gone through educating you on what you should be doing, but it's ultimately up to you to take it. So just, I'm gonna repeat it for the camera. He asked if there's a clause in my contract that holds me not liable for a year in case the user uses an insecure password and then somebody logs into their account and deletes a site. So I don't have that specifically, but part of my education is secure passwords.
So there are things that you can put in place to make sure that they do use secure passwords, and you can show them ways to store and manage their passwords so that they're not getting hacked. But if you have a disgruntled employee that leaves and you don't change the password, that's on you. You have to change the password. You have to get rid of their accounts when they leave. Right, that's why you sell them backup security. We will, if you were in the talk earlier, I think it was yesterday, on backups, there was an entire talk on backups. So if you missed it, the talks are all gonna be on WordPress.tv, so you can check it out.

Did you have a question? I don't know the exact answer; that's a very specific legal question. Well, I don't want to assume that Google is taking your private email content and selling it. So I can't, you know, storing your stuff on somebody else's machine, anywhere. This is where you say, I'm not a lawyer. Ask your lawyer.

Anyway, moving on. Another benefit to addressing the security issue with clients is additional revenue. A lot of people, a lot of developers, are not talking security when sites are built. There was an agency when I first started doing web development, a couple of them actually, 10 years ago, even less. Neither of them really did security at all with the client. And I didn't know it then, because I was just starting, but I know now that at the websites that I was building at this company, we had some general security services. Like we had a service that was like SiteLock, like what my company does. Well, we didn't have any education in place. We weren't doing updates. If the client wasn't taking the updates, we weren't doing that education. So that's sort of like ground zero for the beginning of your security plan. So a lot of places aren't doing it.
So knowing about it, and then communicating to potential clients that this is an important thing and that you're knowledgeable about it and you know how to put these things in place to protect them, sets you apart from other developers. And even if the client doesn't go with you, there's still a chance for them to come back later because they know. So maybe they're gonna come back to you when they have a hacked site, which, like, it sucks to fix hacked sites. But that's a client that now trusts you, and they know that when they talk to other people that don't mention security, they'll be in the back of their mind thinking, well wait, they didn't say anything about security. This other person immediately brought it up.

And then there's the residual income: including security as a service that you offer, or including it as a one-off, or even tacking it on as a part of your overall project, so that people can pay more money for that. Whether you're doing monthly maintenance or you're just doing the one-off.

So, the benefits of communicating the need for security effectively. It starts with education, educating the client that it's a thing, it's a thing that they're responsible for. It's a thing that the host is not responsible for. Clients will kind of, sometimes when you start getting very technical, they'll tune out, they'll assume they're not technical enough to understand it to make a decision. But if you break it down into sort of three basic questions of what's going on with security issues, it kind of makes it easier to understand.

So why do hackers hack websites? Granted, there are still people sitting there in dark basements that are just nefariously hacking away at things. Like the 90s movie Hackers, if anybody remembers that. But these days, the majority, like the biggest majority of hacks, are done by bots.
So it's not necessarily for defacement anymore, like somebody hacking your site and saying, oh, I was here, cool, I hacked your site, I'm awesome. It's for financial gain. So these sites are getting hacked and they're getting redirected to other websites. They're distributing malware on your site that can possibly infect your visitors. So even small sites, hackers don't discriminate. They will go after small sites if the vulnerability is there. Even if it's a small site, you can still be distributing malware with your site. So they don't really care.

So why and how? I mentioned that it's mostly bots. First, sure, the majority these days are bots. So that's where the word malware comes from: malicious software. And this is really the most efficient way for hacking these days. Scripts are written that can scan the internet, and they can look for known vulnerabilities. For example, when WordPress puts out a security update, they'll see what the security issue was. They'll do a search. Sometimes they can do a search for the contents of a file on your WordPress site, and they can get those results as a Google search result. They literally will just have a list of all the sites that are able to be hacked. It can be that easy. Not always, but scanning through things. They look for things like outdated software. They'll automatically be trying your login form with passwords, trying different passwords that are easy to guess. Any newly discovered vulnerabilities. So it's not people just sitting there typing in things. It's bots, and bots are fast and bots are constantly running. They're constantly attacking.

But when I said constantly, I kind of gave that one away. Hacking attempts happen pretty much all day, every day. So we recently published a quarterly security report, and we figured out that on average, websites experience 44 attacks per day. That doesn't necessarily mean that you're getting hacked 44 times a day. It means that bots are making an attempt.
And if you have things like a firewall in place, they're not even getting to your site. If you have something like two-factor authentication, or something like limit login attempts on your login form, they're making those attempts and failing. And you might not necessarily even know that these things are happening, but all the things that are preventing them from getting to your site are all security measures that are in place. And a lot of those things will keep a lot of them away. But a lot of the things that you can do are gonna keep the rest of them away.

So I had a little video here. This isn't the live video, because the live video, oh, it's gone, oh, come back. No, okay. Well anyway, if you go to Norse, the Norse security vulnerabilities map, I tried loading it on the site but it's not loading. So they actually have a live map that's up. And it's pretty fun to see. It loaded for a second there. But it's got, it's a visual of sites that are constantly being hacked, where they're coming from, where they're going to. And it's not showing all the attacks that are happening, because there are millions. It's just giving you an example of what is being targeted, from their own targets that they have set up to measure these things. So it's kind of an interesting thing to look at. Well, it's not, hey, it keeps, I don't know what's not working. Well, it was zoomed out a little bit. It's the whole world, it's not just the US.

Okay, so, benefits of implementing these five simple website security best practices. And they're not hard to implement, fortunately. Doing these five things is gonna get you really up to speed and ahead of a lot of other people that are not doing these kinds of things, and they'll mitigate most of the security issues that you're gonna run into. So the first one isn't necessarily gonna prevent anything, but it's backups. So having backups is obviously going to help you in the event that you do get hacked.
You have something to restore while you work on figuring out what the vulnerability is. I have a fun story again. I was taking on a new website, and I was migrating it over to another host for my client. And I was looking at it, and it turns out that their site was something like 30 gigabytes. And it was an e-commerce site. She's like, oh, we have a lot of products. I'm like, I don't think you have that many products. But I'm like, okay, we're gonna get migrated over and then we'll figure it out. So I ended up trying to migrate it, and it turns out that I couldn't even set up the staging, because her site was so big that she would have had to go to the very highest level. She had no business, with her small business, being at this highest level. So I was like, okay, let's look at what you actually have stored on your website. Some people upload, like maybe they have videos they forgot about. Sometimes people just dump the entire contents of their camera straight up. So, you know, it's usually content. So I was poking around and I noticed a folder in there. I don't remember what it was, but it was a backups folder. And I popped in there, and it was about 30 gigabytes of backups that they had been storing on the website since 2012.

So don't host your backups on your same server. Not only because of that issue with size, that's not even really an issue. But because if somebody can get into your hosting, they now have access to everything, backups a lot of the time, even backup databases. So even if they were to get into FTP, they wouldn't normally have access to your database. But now that your backups are stored there, they can grab those backups, unzip them, and now they literally have everything. So you don't want them stored there.

So I kind of went through this. There are backup solutions. I know that Peter talked about it yesterday. I'm not gonna go into it too much. But so there are basically three main ways. And one is through your host. A lot of hosts will offer backup.
Don't assume that they do offer backup. And if it says they do, don't assume that it's the right kind of backup that you will need to recover your site. A lot of times hosts have backup and it's only for their own use, in case a small thing goes wrong, and you don't necessarily have access to it. And it's not necessarily restorable. Sometimes they'll only back up a certain part of your site, just so it's more efficient for them to store. So if they are doing backups, take a look. And if you wanna go that route, see what they're offering. Make sure that it's happening on a regular basis, and make sure that you can grab that and fully restore the website on your own from that backup.

If they don't do it, or if you don't wanna deal with them, you don't wanna pay for whatever, there are other solutions that are more WordPress-based. There's VaultPress, BackupBuddy, UpdraftPlus. Those all sort of allow you to schedule backups and then save them to some other place. They also allow you to save them on your server, but don't do that. Getting a little fancier, if you have some kind of more involved development setup, you can run scripts that automate these backups. Or you can do a manual backup, kind of a pain, but it's possible, and sometimes you have to do it for whatever reason.

Updates. So this is the biggest and easiest thing that you can do for website security: keeping your site updated. Like I said before, bots keep track of vulnerabilities. WordPress is open source. When we find a vulnerability, we don't publish it right away. We figure out a fix, we push the fix, and then it's published, because anybody can look at the code and see this vulnerability, which is why WordPress tries to push out an update before publishing it to the world. A lot of WordPress security updates are automated. But you can turn those off, for whatever reason.
So making sure that your client or you are keeping the site up to date: WordPress core, vulnerabilities are found in core and they're fixed as soon as they can be fixed. But that's only core. So when security issues are found and core fixes them, there are still your plugins and your themes that are reliant on a lot of those functions. And if one of those functions was insecure and your plugin was using it or your theme was using it, then the vulnerabilities could still be in your theme. So not only keeping your core updated, but also making sure your theme and your plugins are updated, is pretty critical. And I just did a blog security series on WP district, which is our site, like, security blog. And it was a five-part series that kind of goes through everything that you need to do, like backups, keeping things updated, what to do when an update breaks your site, how to set up a staging site. So if you go to our Twitter, it's a sticky post at the top, and you can learn more about that entire process.

So number three, related to your questions, is strong, unique passwords. There are a lot of things that you can put into place that'll basically force the client to be secure. Like you mentioned two-factor authentication, which means that in addition to putting in a password, maybe the client has to confirm that they are who they say they are by receiving a text with an authentication code. It can go so far as literally having a USB stick that they have to plug into their laptop in order for it to be authenticated. That sounds futuristic and sci-fi, but those things are all in place just to make sure that passwords are strong and the person logging in is who they say they are. And clients, and people in general, not just clients, like to use passwords that they can remember, and passwords that they can remember are usually like single words, or the word "password," or like "12345."
So there's a website right here, haveibeenpwned.com/passwords, and yes, that's a P instead of a W. It's a website where you can type in your password and do a search, and it'll tell you if that's a known password that's checked when bots attack your site. So now, once you type it in. Well. Do they save it? No. Well, we don't know they don't save it. We don't know anything, that's true. We don't know anything; if you tell anybody anything, you don't know they're gonna keep it a secret. But it'll tell you if it's known in a database of passwords.

Use a password manager. Password managers are so amazing. I try to get clients set up with them. Did you have a question? Oh, you're just stretching. Use a password manager. If you have an agency and you have to share passwords between your company, especially if you have people working remotely, using one of these password managers makes it easy to share passwords rather than sending them through an email or sending them in a Slack chat. But also as a developer, you can keep all your logins for all the sites that you're working on, and it can automatically generate a very secure password for you. It'll save it in your local repository. You do have to remember one password, which is the password to open the password manager, which also should be a secure password, but it's only one to remember. And a lot of times they'll have mobile versions. So, you know, not just for client sites, but anything, if you're logging into amazon.com or Facebook, all those places. There have been a lot of breaches of security that we've heard of, historically and recently. And you don't want the same password; if you're using the same password across 40 different sites and one of them gets compromised, they'll be able to log in everywhere with your username, and they can try it. They have all the time in the world, because their bots don't sleep.

So, firewalls and CDNs.
So now we're getting into more technical things. And these are things that you're necessarily not gonna build on your own. So, firewalls. There are two basic types of firewalls, and firewalls are hardware and software solutions that prevent certain bots from even getting to your site in the first place. So, like the analogy of the gated community. They'll come up to the door and they'll be like, please show me your passcode or your card. And they don't have the card. They're like, okay, good day, sir. And they turn around and they leave. So they can't even get in. That'll protect a lot. Hackers and bots are constantly pounding on these firewalls trying to get in, and they do a really good job of preventing them. So there are two different kinds. There's a network firewall that lives on your host, your web host, and then there are the web application firewalls that are the responsibility of the site owner. And that's an add-on service, and that's an add-on service that you can communicate to your client. But also knowing that your host has a firewall, good information to know. And another thing that they do: since your site is constantly being attempted by these bots, that can take up bandwidth. And a firewall makes sure that that never hits your site. So it can speed up your site.

And then a CDN is basically storing your files in a distributed network across the world. So that will help with load time, and sometimes the security scans will be done on these CDNs. These CDNs typically have very strong firewalls in front of them. So those are two things that you should put in place that'll stop a whole lot of things. And then finally the con... Well, I'm glad you asked. SiteLock actually does have a web application firewall, and there are other ones also. Talk to me later.

So, continuous monitoring. This is pretty much a hands-off thing for you.
You're not able to constantly look at the FTP of your site and look at all your files and be like, oh, that file, drilling down four folders deep, that file was changed today. I should check that file and make sure that it wasn't an injection of some kind of code. So you're not gonna be sitting there looking at that. So there are services out there that do continuous monitoring of your site. They can tell if any code has changed. And then they can tell you that it's changed and be like, hey, we noticed this code has changed. Did you do this? Was it meant to happen? Or is this something that we need to check out? Some places do automated malware removal, so that once it gets popped in, it gets detected and they just spit it back out and they upload the fresh file to your site. So this is another service, since you don't have time to sit and do all these things. So having a monitoring service that can tell you when these things happen is another way that you can add on services to your client. How long do I have? 10 minutes, okay.

So, including it in the scope. Including the focus on security in every step just shows you as a professional business owner. It shows that you're informed, you're knowledgeable, and that you are willing, or you require, this focus on security, and that you care about ensuring the success of their business. So it makes you look good. Informing the client from the beginning. You have much more success if you include it at the beginning of discussions than if you go to push the site live, like maybe in three days, and you're like, oh hey, by the way, security services, we need to talk security, this is a thing, and the client's like, what? We didn't talk about this at all. You mean this is gonna cost me extra money? So if you say it at the end, they're gonna assume it's not that important.
So make sure that you tell them about it in the beginning, so that they're aware, so that they know that it's just as important as having nice pictures up on your website, just as important as having a site that loads quickly.

Okay, so, including security as a service. So if you focus on this at the beginning, it sort of sets you up to be able to demand a higher price for your services, because you're showing right away that you've got your stuff together, that you know what's going on. And it also sets you up to offer ongoing services, ongoing maintenance, one-off services.

Speaking of maintenance: setting up a maintenance plan. I believe there was a talk this weekend about maintenance. So I'm not gonna go into it too much, but how many people in here already have some sort of a maintenance plan that they offer? Okay, so this is probably about half. So tacking on security to your maintenance plan is an option. So now instead of just saying maintenance, you say maintenance and security. Or when you define what a maintenance plan is, you can say it includes security. Or you can offer it as separate from your maintenance plan. But as we discussed, back with the security best practices, keeping your site updated is a huge part of website security. And that's typically one big thing that's included in a maintenance plan. So you can also be saying now, this maintenance plan is a security thing. So that'll help you sell your maintenance plan in the first place, but then it'll also help you make them aware that security is a thing and that it's not being done automatically. So I recommend two to three levels of maintenance plan or security plan. Starting with something basic, maybe you check it out, you watch for stuff maybe once a month. Maybe it just includes notifying them when something happens.
Going all the way up to something that's a little bit more aggressive, where you have content scanning, where you will automatically remove any malware, where you will do a site review occasionally. So depending on what is practical for you, you still have your regular business to run, right? Like you're not gonna be able to spend all your time on maintenance. Maintenance kind of sucks if you've had to sit and do a lot of maintenance. I was once the grunt at an agency and I had to do all the maintenance before I became a real developer and it's all over the place. You get asked to do all kinds of things. So maintenance isn't necessarily fun. But based on what you're able to do, decide that, like how much time do I realistically have to spend on maintenance a month or maybe even a week? How many clients do you have? How many people are you gonna be able to sell these services to, and price it appropriately? It's not necessarily worth it if you're just coming out even, right? You wanna be able to make money off of it because that's your business and you need to be able to support yourself. Another thing is offering a monthly subscription so that they know that they're protected for X amount of money a month. Make sure that you have the caveats in place if your level doesn't include automatically fixing their hacked site, which I recommend it doesn't, because hacked sites can take anywhere from an hour to like a weekend to fix. But make sure you communicate that so they understand what they're gonna get if they take this level, this level, this level. So recurring billing, we were talking about this earlier. PayPal does recurring billing. FreshBooks and Stripe also do recurring billing. So you don't have to necessarily chase them down every single month. And you have that knowledge that you have X amount of money coming in for sure every month and that's really cool. 
As a freelancer, I was a freelancer for seven years, and the feast or famine that they talk about, of you've got a project, you don't necessarily know where the next one is coming from. You're kind of panicking at the end and looking for a new project, that happens sometimes. Knowing that you have these recurring payments coming in is like, okay, well I have another $750 a month coming in for sure. Like that's like financial security for your business. And then you can also add it as an add-on service. So that's the one-time cleanup of a hacked site, which can lead you into offering the security as a service because they've now learned that they need it. Initial setup of, we'll put all this in place. It's up to you to monitor. You can evaluate. So that's what I did with the client when she had the emails coming in. Or you can just do a consultation. So all those things can be priced out individually. But I highly recommend if you are doing some sort of monthly thing, use a schedule because you don't wanna suddenly remember at the end of the month that, oh my gosh, I have to go through and update all these websites. And wow, I actually wasn't paying attention. There was a huge vulnerability that Gravity Forms just fixed and oh, it turns out that this fix breaks sites. So keeping yourself aware of what plugins are being updated, taking a look at their, they'll send you emails, they'll have change logs, knowing what's breaking, what's being fixed, how it's gonna affect you. And when you have a schedule, it keeps you on track to start to be aware of those things as they're coming up. So it's not all a huge surprise at the end. So you can automate maintenance and reporting. We're developers, we love to automate anything that we can. Any sort of repeatable task we're gonna try to automate. If you can, you should. 
So things like maintenance and reporting are things that can be automated that you don't need to be sitting there and manually doing all the time, including backups. So SiteLock provides maintenance and reporting tools. ManageWP has, they're another company that you register all of your websites that you have with them. And they go down and they list every single thing. So this would be like from one website or no, it's two, multiple. It tells you how many themes there are total, 36 themes, that's a lot. How many plugins are there. And then it lists the plugins. And it's like, oh, this plugin has an update. Look, it went from version 266 to 267. And then it has this little update button, which is like, it's a scary thing to push. I recommend just doing a grand sweep of every single website you have and every single update there is, because things break. But you can get an idea of the kind of things that are having updates and you can take a look at them and be aware of them and be aware of who you've all updated for that month. InfiniteWP is another one that does it. And then SiteLock shows you. So, in summary, security is good, no security is bad. But there's a bonus slide, so I'm gonna get to it real quick. How to get the kitty in there. So GDPR is a thing. Does anybody in here know about GDPR? I know, nobody can really say you're knowledgeable, right? Because everyone's sort of panicking. As if we didn't have enough with Gutenberg coming down and threatening to break everything that we have, there's now GDPR on top of that that we have to pay attention to. And so what GDPR is, is an EU regulation, the European Union. It goes into effect May 25th and it's basically in place to protect data for EU citizens and residents. But it's not just citizens and residents and websites in the EU. It's any website that a citizen of the EU could use in the entire world. It remains to be seen how this is going to play out for sites that violate this. 
But in a nutshell, what you have to be aware of and ready for is being informed. Are you a controller or a processor? So figuring out if you're the person that's processing information. If you are a controller of that information, Google, Mailchimp, SendGrid, Salesforce, like we're not any of those websites, they have a much bigger thing for GDPR than we do. Well, we have to figure out, are we processing data? Are we storing it any place? How long is it being stored? Do we actually need it? So you have to kind of go through and audit your data so that you know what's all going on. And then in addition to that, it requires transparency. So in your privacy policy page, which is probably something that you haven't been paying too much attention to, you might've just Googled it and grabbed one and just thrown it on your website. It now is a place where you mention that yes, you did look into the GDPR, you put these things in place. You follow all these new rules that are in place. So one of the rules is that you have to have consent options at the collection of data. So if you're getting someone's information, you have to have them authorize their consent for collecting that information. And then they have the right to be able to erase that content just by asking you for it. And another thing is that it has to be set up to be like the most, what is it? The privacy setting has to be set at the highest level. So if you notice, if you use Facebook, they just recently had the whole little thing about Facebook information being used. But if you look now at their privacy settings, those are all set to like the highest level of privacy. And now you have to go in and authorize those things manually because obviously everyone thinks of Facebook when they think of like privacy and everything. And they're one of the big ones that had a whole lot of work to do for that. 
Minors, if you have a website that's collecting information on minors, you probably already know that there's laws that you need to follow already. But then we have to make sure that there is verifiable consent from their parent or guardian that they're aware that you're collecting that information. And then finally, designate a DPO, that's a data protection officer. Doesn't necessarily mean that you have to hire out a new person for your two-person marketing company. But it does mean that you have to know of someone that's gonna be able to be there for you as a consult, or you have to have somebody in your business that is taking it as their responsibility to be informed and to get you ready. So GDPR is a whole other big, big talk and I'm not gonna go any further into it. So thank you. Thank you. Thank you. We're at the WordPress developer person because there's no way I'm gonna be on top of all these high-level security issues. Obviously you can subscribe to these things but it seems like as individuals who are doing smaller business, getting people set up on websites, we couldn't possibly know all of this. So is there that next level? My client's a one on security awareness and I'm a four. Who do we go to? I'm all right, so maybe a certain is using the LastPass at some of these sites but who do we go to for the security help? So her question was as a developer that is not very informed on security and doesn't necessarily want to take it upon themselves to dedicate their life to learning and implementing security, what do you, what can you do? There are security services that you can subscribe to that will take it all upon themselves. 
Sometimes your host offers that, sometimes it's a third-party service where you can sort of put that trust into them, and some of them offer things like white labeling where you can sell it to your client and say, hey, I include security, here's the security results, and it just says the name of your company but really you've outsourced that to a third party. So for sure, same thing as like your web developer, you don't necessarily know all about SEO, you tell a client that you can offer the service of a third-party SEO person whose job it is to be really good at that. They also have the same thing with security. So because she can't sell it on stage, I'll say there's SiteLock, who I use for some of my clients, there's Sucuri, another one's out there, and the client, the customer, my customers don't really care who I'm using or how I'm doing it. They're paying me to have contact to me to do it. I sell it out based on each client, based on what I need, based on the risk factor that I put into them. Deprecated themes, deprecated plugins that clients don't want to pay to keep them maintained, I pay out of what they pay me to do it. It's worth it, so SiteLock's a great one, it's a crazy good one, you know, so there's a handful of those as well. Those are two bigs. Yeah, so basically Adam said if you don't want to do it, sell it. Sell it out. So we're friends, we're friends also, by the way. We're friends, yep. Security, we're friends. The question goes, have you seen somebody basically try to close the doors that are commonly hit online? So, rename wp-admin. So, security by obscurity, it's called security by obscurity, right? Can you see anybody doing that? Are you talking about locking down the site so nobody can get access to it, like .htaccess kind of? Can you rename wp-admin, the people that try to get that? Yeah, that was a practice that was, and is still being done. Honestly, it doesn't really do very much because they can still find them, so. 
Okay, so then the second question is have you seen anybody talking about the National Institute of Standards and Technology as a NICE framework? It's the National Initiative for Cybersecurity Education. That's NIST, the ones that come up with the password, this is how you, this is the definition. Yeah, so we have, so at my company, we have an entire team that's dedicated to research and development, that's not me. I'm sure that we do, but I have not personally been involved with that initiative. I'm a member of the work group. Okay, so what was it called? It's the National Institute of Tech Standards and Technology. National Institute of Standards and Technology, NIST. And the initiative, it's a presidential initiative called NICE, which is National. Presidential initiative called NICE. And it's called the National Initiative for Cybersecurity Education. Initiative for Cybersecurity Education. So they have a whole new framework that they're basically pushing out. Oddly enough, I haven't seen anything talking about WordPress. No one in the community is talking about applying it and they're not giving any guidance. I've seen the guidance coming. Are you on the security WordPress team? No. You should check that out, because we're always looking for people that want to get involved in WordPress. And if it's something that you're very knowledgeable about, it would probably be welcome if you wanted to contribute. And we would love to have you contribute. I think there's actually a connection now. Either WordCamp US, and Google was there, I think it was Google, because they're tying it in to do some support. I think it's Google, because they're like, right, to help make WordPress more secure of that aspect, so that way Google reports it better as a platform as well. Okay, so Adam said that Google was at WordCamp US and they are taking on initiatives to try to help make WordPress more secure also. Is there a person that you can say, this is who's looking at it? 
In WordPress Core? In the WordPress community, yeah. I don't know. The first person I'm thinking about is Aaron, but I don't know if he's on that team anymore. Aaron Campbell? Yes. Possibly Aaron Campbell. But if you go to just wordpress.org, make.wordpress.org, there is a whole team dedicated to security. And if you get in touch, they will be happy to have you and someone will reach out to you right away and let you know what you can do. Yeah. Do you recommend SSL for all of you? Yeah, so SSL, yes. There's different levels of SSL. And then like eCommerce, all of that. Right, yeah, so SSL and HTTP/2 are additional like security pieces that you can put into place on your site. A lot of hosts offer a basic SSL that's fine, but if you're doing things like credit card gathering, you need to be up a little bit in level. And then that's where PCI compliance comes into effect. If you're processing payments on your site, you have to make sure that you're PCI compliant and hopefully your developer knows that, or at least your processor knows that, and they will direct you to what you need to have in place for those because there are standards in place for that too. Yeah. It depends which level of PayPal you have. If you just have the PayPal standard, what it does is it redirects the buyer to the PayPal site and that is PCI compliant because the payments are not being taken on your own website. So the payments happen on Google, it says yes, it's been paid. They push the person back to your site and tell your site that it's been paid, but your site is not collecting credit card data. There's other levels of PayPal that are more advanced and for those payment types, you do have to look at that. So if you say a payment gateway, you don't have to do the day-to-day or the day-to-day on it. Well, my payment gateway wouldn't install on my WordPress site. It's good like that. Yeah, so she said that her payment gateway would not install until she was PCI compliant and yeah, that's true. 
So if your, that leads me into, I'm actually doing a talk at WordCamp OC. I know it's all the way on the other side of the country, but I'm actually talking about securing your e-commerce site, and PCI compliance is a thing that I'm gonna be talking about a little bit more in-depth. We're out of time, but e-commerce is way, way bigger for security. Way another talk. Thank you very much. Thank you. It was remarked about products. No, in the, in the preview. Closing.